SYSTEM FOR PROTECTING COMPUTERS VIA
INTELLIGENT TOKENS OR SMART CARDS

Background of the Invention
This invention relates to reducing the possibility
of corruption of critical information required in the
operation of a computer system. In particular, the
invention is aimed at preventing boot-sector computer
viruses and protecting critical executable code from
virus infection.

The process of starting up a computer, i.e.,
booting or boot-strapping a computer, is well known, but
we describe aspects of it here for the sake of clarity
and in order to define certain terms and outline certain
problems which are solved by this invention.

Fig. 1 depicts a typical computer system 10 with
central processing unit (CPU) 12 connected to memory 14.
Display 18, keyboard 16, hard disk drive 17, and floppy
disk drive 19 are connected to computer system 10.

A typical computer system such as shown in Fig. 1
uses a program or set of programs called an operating
system (OS) as an interface between the underlying
hardware of the system and its users. A typical OS,
e.g., MS-DOS Version 5.0, is usually divided into at
least two parts or levels. The first level of the OS,
often referred to as the kernel of the OS, provides a
number of low-level functions called OS primitives which
interact directly with the hardware. These low-level
primitives include, for example, functions that provide
the basic interface programs to the computer system's
keyboard 16, disk drives 17, 19, display 18, and other
attached hardware devices. The OS primitives also
include programs that control the execution of other
programs, e.g., programs that load and initiate the
execution of other programs. Thus, for example, if a

WO 93/17388

PCT/US93/01675

user wishes to run a word-processing program or a game
program, it is the primitives in the OS kernel which load
the user's program from a disk in one of the attached
disk drives 17, 19 into the computer system's memory 14
and begin executing it on CPU 12.

The second level of the OS typically consists of a
number of executable programs that perform higher-level
(at least from a user's perspective) system related
tasks, e.g., creating, modifying, and deleting computer
files, reading and writing computer disks or tapes,
displaying data on a screen, printing data, etc. These
second-level OS programs make use of the kernel's
primitives to perform their tasks. A user is usually
unaware of the difference between the kernel functions
and those which are performed by other programs.

A third level of the OS, if it exists, might
relate to the presentation of the OS interface to the
user. Each level makes use of the functionality provided
by the previous levels, and, in a well designed system,
each level uses only the functionality provided by the
immediate previous level, e.g., in a four level OS, level
3 only uses level 2 functions, level 2 only uses level 1
functions, level 1 only uses level 0 functions, and level
0 is the only level that uses direct hardware
instructions.

Fig. 2 depicts an idealized view of a four level
OS, with a level for hardware (level 0) 2, the kernel
(level 1) 4, the file system (level 2) 6, and the user
interface (level 3) 8.

An OS provides computer users with access and
interface to a computer system. Operating systems are
constantly evolving and developing to add improved
features and interfaces. Furthermore, since an OS is
merely a collection of programs (as described above), the
same computer system, e.g. that shown in Fig. 1, can have
a different OS running on it at different times. For
example, the same IBM personal computer can run a
command-line based OS, e.g., MS-DOS V5.0, or a graphical,
icon based OS, e.g., MS-Windows 3.0.
In order to deal with the evolution of operating
systems (as well as to deal with possible errors in existing
operating systems) computer system manufacturers have
developed a multi-stage startup process, or boot process,
for computers. Rather than build a version of the OS
into the system, the multi-stage boot process works as
follows:

A boot program is built into the computer system
and resides permanently in read-only memory (ROM) or
programmable read-only memory (PROM) (which is part of
memory 14) on the system. Referring to Fig. 4, a
computer system's memory 14 can consist of a combination
of Random Access Memory (RAM) 24 and ROM 26. The ROM (or
PROM) containing the boot program is called the boot ROM
28 (or boot PROM). A boot program is a series of very
basic instructions to the computer's hardware that are
initiated whenever the computer system is powered up (or,
on some systems, whenever a certain sequence of keys or
buttons are pressed). The specific function of the boot
program is to locate the OS, load it into the computer's
memory, and begin its execution. These boot programs
include the most primitive instructions for the machine
to access any devices attached to it, e.g., the keyboard,
the display, disk drives, a CD-ROM drive, a mouse, etc.

To simplify boot programs and to make their task
of locating the OS easy, most computer system
manufacturers adopt conventions as to where the boot
program is to find the OS. Two of these conventions are:
the OS is located in a specific location on a disk, or
the OS is located in a specific named file on a disk.
The latter approach is adopted by the Apple Macintosh
computer where the boot program looks for a file named
"System" (which contains, e.g., Apple's icon-based
graphical OS) on disks attached to the computer. The
former approach, i.e., looking for the OS in a particular
location, e.g., on a disk, is the one currently used by
most I.B.M. personal computers (and clones of those
systems). In these systems the boot program looks, in a
predetermined order, for disks in the various disk drives
connected to the system (many computer systems today have
a number of disk drives, e.g., a floppy-disk drive, a
CD-ROM, and a hard-disk drive). Once the boot program finds
a disk in a disk drive, it looks at a particular location
on that disk for the OS. That location is called the
boot sector of the disk.

Referring to Fig. 3, a physical disk 9 is divided
into tracks which are divided up into sectors 11 (these
may actually be physically marked, e.g., by holes in the
disk, in which case they are called hard-sectored, but
more typically the layout of a disk is a logical, i.e.
abstract layout). The boot sector is always in a
specific sector on a disk, so the boot program knows
where to look for it. Some systems will not allow
anything except an OS to be written to the boot sector,
others assume that the contents of the boot sector could
be anything and therefore adopt conventions, e.g., a
signature in the first part of the boot sector, that
enables the boot program to determine whether or not it
has found a boot sector with an OS. If not it can either
give up and warn the user or it can try the next disk
drive in its predetermined search sequence.

Once the boot program has determined that it has
found a boot sector with an OS (or part of an OS), it
loads (reads) into memory 14 the contents of the boot
sector and then begins the execution of the OS it has
just loaded. When the OS begins execution it may try to




locate more files, e.g., the second level files described
above, before it allows the user access to the system.
For example, in a DOS-based system, the program in the
boot sector, when executed, will locate, load into
memory, and execute the files, IO.SYS, MSDOS.SYS,
COMMAND.COM, CONFIG.SYS, and AUTOEXEC.BAT. (Similarly,
in a multi-level system, each level loads the next one,
e.g., the Hewlett-Packard Unix-like System HPUX has at
least 4 levels which get loaded before the user is
presented with an interface to the computer system.)

The process of booting a computer system is
sometimes called the boot sequence. Sometimes the boot
sequence is used to refer only to the process executed by
the first boot program.

Computer viruses aimed at personal computers (PCs)
have proliferated in recent years. One class of PC
viruses is known as boot infectors. These viruses infect
the boot-sectors of floppy or hard disks in such a way
that when the boot sequence of instructions is initiated,
the virus code is loaded into the computer's memory.
Because execution of the boot sequence precedes execution
of all application programs on the computer, antiviral
software is generally unable to prevent execution of a
boot-sector virus.

Recall, from the discussion above, that the boot
program loads into memory the code it finds in the boot
sector as long as that code appears to the boot program
to be valid.

In addition to the boot infector class of viruses,
there is another class of viruses called file infectors
which infect executable and related (e.g., overlay)
files. Each class of virus requires a different level or
mode of protection.

File infector viruses typically infect executable
code (programs) by placing a copy of themselves within
the program; when the infected program is executed so is
the viral code. In general, this type of virus code
spreads by searching the computer's file system for other
executables to infect, thereby spreading throughout the
computer system.

One way that boot-sector viruses are spread is by
copying themselves onto the boot-sectors of all disks
used with the infected computers. When those infected
disks are subsequently used with other computers, as is
often the case with floppy disks, they transfer the
infection to the boot-sectors of the disks attached to
other machines. Some boot-sector viruses are also file
infectors. These viruses copy themselves to any
executable file they can find. In that way, when the
infected file is executed it will infect the boot sectors
of all the disks on the computer system on which it is
running.

Recall, from the discussion above, that an OS may
consist of a number of levels, some of which are loaded
from a boot sector, and others of which may be loaded
into the system from other files on a disk. It is
possible to infect an OS with a virus by either infecting
that part of it that resides in the boot sector (with a
boot-sector virus) or by infecting the part of it that is
loaded from other files (with a file-infector virus), or
both. Thus, in order to maintain the integrity of a
computer operating system and prevent viruses from
infecting it, it is useful and necessary to prevent both
boot-sector and file-infector viruses.

Work to develop virus protection for computers has
often been aimed at PCs and workstations, which are
extremely vulnerable to virus infection. The many
commercial packages available to combat and/or recover
from viral infection attest to the level of effort in
this area.




Unfortunately, computer virus authors produce new
versions and strains of virus code far more rapidly than
programs can be developed to identify and combat them.
Since viruses are typically recognized by a "signature",
i.e., a unique sequence of instructions, new viral code
may at times be difficult to identify. Existing
signature-based virus detection and eradication programs
require knowledge of the signature of a virus in order to
detect that virus.

Current systems employ different strategies to defend
against each type of virus. In one of these strategies
to protect against boot infectors, first a clean
(uninfected) copy of the boot-sector is made and kept on
a backup device, e.g., a separate backup disk.
Subsequent attempts to write to the boot-sector are
detected by the anti-viral software in conjunction with
the OS and the user is warned of potential problems of
viral infection. Since reading from and writing to a
disk is a function performed by the OS kernel, it knows
when a disk is written to and which part of the disk is
being written. Anti-virus software can be used to
monitor every disk write to catch those that attempt to
modify the boot sector. (Similarly, in systems which
keep the OS in a particular named file, every attempt to
modify that file can be caught). At this point, if the
boot-sector has been corrupted the user can replace it
with a clean copy from the backup disk.

To inhibit file infectors an integrity check,
a checksum, is calculated and maintained of all
executables on the system, so that any subsequent
modification may be detected. A checksum is typically an
integral value associated with a file that is some
function of the contents of the file. In the most common
and simple case the checksum of a file is the sum of the
integer values obtained by considering each byte of data
in the file as an integer value. Other more complicated
schemes of determining a checksum are possible, e.g., the
sum of the bytes in the file added to the size of the
file in bytes. Whatever the scheme used, a change in the
file will almost always cause a corresponding change in
the checksum value for that file, thereby giving an
indication that the file has been modified. If a file is
found with a changed checksum, it is assumed to be
infected. It can be removed from the computer system and
a clean copy can be restored from backup.
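
The two checksum schemes described above, written out as an added C example (not part of the original document); the sample bytes and function names are constructed for illustration. It also shows what "almost always" leaves out: changes that preserve both the byte sum and the file size are not flagged.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample bytes standing in for an executable's contents. */
static const unsigned char CLEAN[8] = {
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80
};

/* Simplest scheme in the text: the sum of every byte taken as an integer. */
uint32_t sum_checksum(const unsigned char *data, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += data[i];
    return sum;
}

/* Second scheme in the text: the byte sum added to the file size in bytes. */
uint32_t sum_plus_size_checksum(const unsigned char *data, size_t len) {
    return sum_checksum(data, len) + (uint32_t)len;
}

/* Integrity check: 1 if the contents no longer match the stored checksum. */
int is_modified(uint32_t stored, const unsigned char *data, size_t len) {
    return sum_plus_size_checksum(data, len) != stored;
}

/* Checksum recorded while the file was known to be clean. */
static uint32_t baseline(void) {
    return sum_plus_size_checksum(CLEAN, sizeof CLEAN);
}

/* One byte overwritten: the sum changes, so the change is detected. */
int detects_patched_byte(void) {
    unsigned char buf[sizeof CLEAN];
    memcpy(buf, CLEAN, sizeof CLEAN);
    buf[3] = 0xEB;
    return is_modified(baseline(), buf, sizeof buf);
}

/* Zero bytes appended: the byte sum is unchanged, but the size term
 * of the second scheme changes, so the change is still detected. */
int detects_zero_padding(void) {
    unsigned char buf[sizeof CLEAN + 4] = {0};
    memcpy(buf, CLEAN, sizeof CLEAN);
    return is_modified(baseline(), buf, sizeof buf);
}

/* Two bytes exchanged: sum and size are both unchanged, so this
 * modification is missed (the "almost always" in the text). */
int detects_transposed_bytes(void) {
    unsigned char buf[sizeof CLEAN];
    memcpy(buf, CLEAN, sizeof CLEAN);
    buf[1] = CLEAN[2];
    buf[2] = CLEAN[1];
    return is_modified(baseline(), buf, sizeof buf);
}

/* One byte raised by 1 and another lowered by 1: also missed. */
int detects_offsetting_change(void) {
    unsigned char buf[sizeof CLEAN];
    memcpy(buf, CLEAN, sizeof CLEAN);
    buf[0] += 1;
    buf[7] -= 1;
    return is_modified(baseline(), buf, sizeof buf);
}

int main(void) {
    printf("patched byte detected:      %d\n", detects_patched_byte());
    printf("zero padding detected:      %d\n", detects_zero_padding());
    printf("transposed bytes detected:  %d\n", detects_transposed_bytes());
    printf("offsetting change detected: %d\n", detects_offsetting_change());
    return 0;
}
```

The last two cases are why an additive checksum only flags accidental or naive changes; a cryptographic hash is the usual replacement for this kind of baseline.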

Many viruses use the low-level primitive functions
of the OS, e.g., disk reads and writes, to access the
hardware. As mentioned above, these viruses can often be
caught by anti-viral software that monitors all use of
the OS's primitives. To further complicate matters
however, some viruses issue machine instructions directly
to the hardware, thus avoiding the use of OS primitive
functions. Viruses which issue instructions directly to
the hardware can bypass software defenses because there
is no way that their activities can be monitored.
Further, new self-encrypting (stealth) viruses may be
extremely difficult to detect, and thus may be overlooked
by signature recognition programs.

One approach to the boot integrity problem is to
place the entire operating system in read-only memory
(ROM) 26 of the computer 10. However, this approach has
disadvantages in that it prevents modifications to boot
information, but at the cost of updatability. Any
upgrades to the OS require physical access to the
hardware and replacement of the ROM chips. It is also
the case that as operating systems become more and more
sophisticated, they become larger and larger. Their
placement in ROM would require larger and larger ROMs.
If user authentication is added to the boot program,
passwords may be difficult to change and operate on a per
machine rather than a per user basis.

Some operating systems have so-called login
programs which require users to enter a password in order
to use the system. These login programs, whether
stand-alone or integrated with an antiviral program, suffer
from the same timing issues as previously mentioned.
Also since most PCs provide a means of booting from
alternate devices, e.g., a floppy disk drive, login
programs can often be trivially defeated.

Summary of the Invention
In general, in one aspect, the invention features
reducing the possibility of corruption of critical
information required in the operation of a computer, by
storing the critical information in a device;
communicating authorization information between the
device and the computer; and causing the device, in
response to the authorization information, to enable the
computer to read the critical information stored in the
device.

Embodiments of the invention include the following
features. The authorization information may be a
password entered by a user and verified by the device (by
comparison with a pre-stored password for the user); or
biometric information (e.g. a fingerprint) about a user.
The device may be a pocket-sized card containing the
microprocessor and the memory (e.g., a smartcard). The
critical information may include boot-sector information
used in starting the computer; or executable code; or
system data or user data; or file integrity information.
The computer may boot itself from the critical
information read from the device by executing modified
boot code (stored as a BIOS extension) in place of normal
boot code.
The device may pass to the computer secret
information shared with the computer (e.g., a host access
code); the computer validates the shared secret
information. The authorization information may be file
signatures for executable code; or a user's cryptographic
key.

A communication link between the device and the
computer carries the authorization information and the
critical information.

In general, in another aspect, the invention
features initializing a device for use in reducing the
possibility of corruption of critical information
required in the operation of a computer, by storing the
critical information in memory on the device, storing
authorization information in memory on the device, and
configuring a microprocessor in the device to release the
critical information to the computer only after
completing an authorization routine based on the
authorization information.
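
The authorization exchange described in the aspects above, modeled as an added C example that is not part of the original document and not the inventors' implementation. The structure layout, field sizes, function names and sample values are assumptions; the token releases nothing before the password check, and the host validates the shared host access code before accepting the boot information.

```c
#include <stdio.h>
#include <string.h>

#define PW_LEN   16  /* fixed-size, zero-padded password field (assumed) */
#define CODE_LEN 8   /* length of the host access code (assumed) */
#define BOOT_LEN 16  /* size of the stored boot information (assumed) */

enum boot_result { BOOT_OK, BOOT_BAD_PASSWORD, BOOT_WRONG_TOKEN };

/* Contents of the token's memory (hypothetical layout). */
struct token {
    unsigned char password[PW_LEN];     /* authorization information */
    unsigned char host_code[CODE_LEN];  /* secret shared with the host */
    unsigned char boot_info[BOOT_LEN];  /* critical information */
    int authorized;                     /* set only by token_verify() */
};

/* Constructed sample values, not taken from the document. */
static const unsigned char HOST_A_CODE[CODE_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
static const unsigned char HOST_B_CODE[CODE_LEN] = {8, 7, 6, 5, 4, 3, 2, 1};
static const unsigned char BOOT_INFO[BOOT_LEN] = "BOOT-SECTOR-IMG";
static unsigned char host_buf[BOOT_LEN]; /* host memory receiving boot data */

/* Compare every byte so the running time does not depend on the data. */
static int same_bytes(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Initialization: store the critical and authorization information. */
void token_init(struct token *t, const char *pw,
                const unsigned char *code, const unsigned char *boot) {
    size_t n = strlen(pw);
    memset(t, 0, sizeof *t);
    memcpy(t->password, pw, n < PW_LEN ? n : PW_LEN - 1);
    memcpy(t->host_code, code, CODE_LEN);
    memcpy(t->boot_info, boot, BOOT_LEN);
}

/* Token side: compare the presented password with the pre-stored one. */
int token_verify(struct token *t, const char *pw) {
    unsigned char candidate[PW_LEN] = {0};
    size_t n = strlen(pw);
    t->authorized = 0;
    if (n >= PW_LEN)
        return 0;
    memcpy(candidate, pw, n);
    t->authorized = same_bytes(candidate, t->password, PW_LEN);
    return t->authorized;
}

/* Token side: nothing is released until verification has succeeded. */
int token_read(const struct token *t, unsigned char *code_out,
               unsigned char *boot_out) {
    if (!t->authorized)
        return -1;
    memcpy(code_out, t->host_code, CODE_LEN);
    memcpy(boot_out, t->boot_info, BOOT_LEN);
    return 0;
}

/* Host side: authenticate the user to the token, validate the shared
 * secret it returns, and only then accept the boot information. */
enum boot_result host_boot(struct token *t, const char *typed_pw,
                           const unsigned char *expected_code,
                           unsigned char *boot_out) {
    unsigned char code[CODE_LEN], boot[BOOT_LEN];
    if (!token_verify(t, typed_pw) || token_read(t, code, boot) != 0)
        return BOOT_BAD_PASSWORD;
    if (!same_bytes(code, expected_code, CODE_LEN))
        return BOOT_WRONG_TOKEN;
    memcpy(boot_out, boot, BOOT_LEN);
    return BOOT_OK;
}

/* One boot attempt against a freshly initialized token for host A. */
enum boot_result attempt(const char *typed_pw, const unsigned char *host_code) {
    struct token t;
    token_init(&t, "correct horse", HOST_A_CODE, BOOT_INFO);
    memset(host_buf, 0, sizeof host_buf);
    return host_boot(&t, typed_pw, host_code, host_buf);
}

/* 1 if the last attempt placed the boot information in host memory. */
int host_received_boot_info(void) {
    return same_bytes(host_buf, BOOT_INFO, BOOT_LEN);
}

int main(void) {
    printf("wrong password: %d\n", attempt("guess", HOST_A_CODE));
    printf("wrong host:     %d\n", attempt("correct horse", HOST_B_CODE));
    printf("authorized:     %d\n", attempt("correct horse", HOST_A_CODE));
    return 0;
}
```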
In general, in another aspect, the invention
features a portable intelligent token for use in
effecting a secure startup of a host computer. The token
includes a housing, a memory within the housing
containing information needed for startup of the host
computer, and a communication channel for allowing the
memory to be accessed externally of the housing.

In embodiments of the invention, the memory also
contains a password for authorization, and a processor
for comparing the stored password with externally
supplied passwords. The memory may store information
with respect to multiple host computers.

Among the advantages of the invention are the 
following. 

The invention provides extremely powerful security
at relatively low cost, measured both in terms of
purchase price and setup time. The additional hardware
required is nominal, initial setup is one-time only, and
upgrades require no hardware access—provided the user
has the proper authentication. The invention obviates
the need to defend against boot infectors and greatly
reduces the risk to selected executables. The invention
eliminates the PC's vulnerability to boot infectors,
ensures the integrity of selected data, and guarantees
the reliability of executables uploaded from the
smartcard. Due to the authentication which occurs in the
boot sequence, the possibility of sabotage or
unauthorized use of the PC is restricted to those users
who possess both a properly configured smartcard and the
ability to activate it.

Other advantages and features will become apparent
from the following description and from the claims.

Description

Fig. 1 is a diagram of a typical computer system
using the invention;
Fig. 2 depicts the levels of an operating system;
Fig. 3 shows the layout of a computer disk;
Fig. 4 is a view of the memory of the computer
system shown in Fig. 1;
Figs. 5-6 show, schematically, a smartcard and its
memory;
Figs. 7-10 are flow diagrams of boot processes.

The invention makes use of so-called intelligent
tokens to store a protected copy of the file that is
usually stored in a disk boot sector, along with other
file integrity data.

Intelligent tokens are a class of small
(pocket-sized) computer devices which consist of an integrated
circuit (IC) mounted on a transport medium such as
plastic. They may also include downsized peripherals
necessary for the token's application. Examples of such
peripherals are keypads, displays, and biometric devices
(e.g., thumbprint scanners). The portability of these
tokens lends itself to security-sensitive applications.

A subclass of intelligent tokens are IC cards,
also known as smartcards. The physical characteristics
of smartcards are specified by The International
Standards Organization (ISO) (described in International
Standard 7816-1, Identification Cards - Integrated
Circuit(s) with Contacts - Physical Characteristics,
International Standards Organization, 1987). In brief,
the standard defines a smartcard as a credit card sized
piece of flexible plastic with an IC embedded in the
upper left hand side. Communication with the smartcard
is accomplished through contacts which overlay the IC
(described in International Standard 7816-2,
Identification Cards - Integrated Circuit(s) with
Contacts - Dimensions and Location of the Contacts,
International Standards Organization, 1988). Further,
ISO also defines multiple communications protocols for
issuing commands to a smartcard (described in
International Standard 7816-3, Identification Cards -
Integrated Circuit(s) with Contacts - Electronic Signals
and Transmission Protocols, International Standards
Organization, 1989). While all references to smartcards
here refer to ISO standard smartcards, the concepts and
applications are valid for intelligent tokens in general.

The capability of a smartcard is defined by its
IC. As the name implies, an integrated circuit consists
of multiple components combined within a single chip.
Some possible components are a microprocessor, non-static
random access memory (RAM), read only memory (ROM),
electrically programmable read only memory (EPROM),
nonvolatile memory (memory which retains its state when
current is removed) such as electrically erasable
programmable read only memory (EEPROM), and special
purpose coprocessor(s). The chip designer selects the
components as needed and designs the chip mask. The chip
mask is burned onto the substrate material, filled with a
conductive material, and sealed with contacts protruding.

Fig. 5 depicts a typical smartcard 22 with IC 32
which contains a CPU 34 and memory 36. Memory 36 is made
up of a ROM 38 and an EEPROM 40.

The current substrate of choice is silicon.
Unfortunately silicon, like glass, is not particularly
flexible; thus to avoid breakage when the smartcard is
bent, the IC is limited to only a few millimeters on a
side. The size of the chip correspondingly limits the
memory and processing resources which may be placed on
it. For example, EEPROM occupies twice the space of ROM
while RAM requires twice the space of EEPROM. Another
factor is the mortality of the EEPROM used for data
storage, which is generally rated for 10,000 write cycles
and deemed unreliable after 100,000 write cycles.

Several chip vendors (currently including Intel,
Motorola, SGS Thomson, and Hitachi) provide ICs for use
in smartcards. In general, these vendors have adapted
eight-bit micro-controllers, with clock rates of
approximately 4 megahertz (MHz) for use in smartcards.
However, higher performance chips are under development.
Hitachi's H8/310 is representative of the capabilities of
today's smartcard chips. It provides 256 bytes of RAM,
10 kilobytes (K) of ROM, and 8K of EEPROM. The
successor, the H8/510, not yet released, claims a 16-bit
10 MHz processor, and twice the memory of the H8/310. It
is assumed that other vendors have similar chips in
various stages of development.

Due to these and other limits imposed by current
technology, tokens are often built to
application-specific standards. For example, while there is
increased security in incorporating peripherals with the




token, the resulting expense and dimensions of
self-contained tokens is often prohibitive. Because of the
downsizing required for token-based peripherals, there
are also usability issues involved. From a practical
perspective, peripherals may be externally provided as
long as there is reasonable assurance of the integrity of
the hardware and software interface provided. The
thickness and bend requirements for smartcards do not
currently allow for the incorporation of such
peripherals, nor is it currently feasible to provide a
constant power supply. Thus, today's smartcards must
depend upon externally provided peripherals to supply
user input as well as time and date information, and a
means to display output. Even if such devices existed
for smartcards, it is likely that cost would prohibit
their use. For most applications it is more cost
effective to provide a single set of high cost
input/output (I/O) devices for multiple cards (costing
$15-$20 each) than to increase smartcard cost by orders
of magnitude. This approach has the added benefit of
encouraging the proliferation of cardholders.

Smartcards are more than adequate for a variety of
applications in the field of computer security (and a
number of applications outside the field). The National
Institute of Standards and Technology (NIST) has
developed the Advanced Secure Access Control System
(ASACS) which provides both symmetric (secret key) and
asymmetric (public key) cryptographic algorithms on a
smartcard (described in An Overview of The Advanced
Smartcard Access Control System, J. Dray and D. Balenson,
Computer Security Division/Computer Systems Laboratory,
National Institute of Standards and Technology,
Gaithersburg, Maryland). The ASACS utilizes DES (Data
Encryption Standard) (described in Data Encryption
Standard - FIPS Publication 46-1, National Institute of
Standards and Technology (formerly NBS), Gaithersburg,
Maryland) for login authentication using the 9.26
Standard authentication protocol (defined in Financial
Institution Sign-on Authentication For Wholesale
Financial Systems [DES-based user authentication
protocols], ANSI X9.26, X9 Secretariat, American Bankers
Association, Washington, D.C.). It further offers a
choice of RSA (described in R. L. Rivest, A. Shamir, L.
M. Adleman, "A Method for Obtaining Digital Signatures
and Public Key Cryptosystems," Communications of the ACM,
pp. 120-126, Volume 21, Number 2, February 1978) or DSA
(described in "The Digital Signature Standard Proposed by
NIST", Communications of the ACM, Volume 35, No. 7, July,
1992, pp. 36-40) for digital signatures.
The ASACS card provides strong security because
all secret information is utilized solely within the
confines of the card. It is never necessary for a secret
or private key to be transferred from the card to a host
computer; all cryptographic operations are performed in
their entirety on the card. Although the current H8/310
equipped card requires up to 20 seconds to perform sign
and verify operations, a new card developed for the
National Security Agency (NSA) is capable of performing
the same operations in less than a second. The NSA card
is equipped with an Intel 8031 processor, a Cylink CYSIS
modular exponentiator (coprocessor), 512 bytes of RAM and
16 Kbytes of EEPROM. Since both the RSA and DSA
algorithms are based on modular exponentiation, it is the
Cylink coprocessor which accounts for the NSA card's
greatly enhanced performance.

Trusted Information Systems (TIS), a private
computer security company, is currently integrating
smartcards for use with privacy enhanced computer mail in
a product called TISPEM. A user-supplied smartcard is
used to store the user's private key and in addition
provides service calls for digital signatures and
encryption so that all operations involving the private
key are performed on the card. In this way the private
key need never leave the card. Thus, a TISPEM user can
sit down at any terminal which has access to the
application software (and a smartcard reader) and read
encrypted mail and send signed messages without fear of
compromising his or her private key.

Referring to Figs. 5 and 6, in the invention, a
smartcard's memory 36 contains a proprietary operating
system and software programs to enforce access control
(in ROM 38) together with critical information 42, 44, 46
usually stored in the host's boot-sector, directory, and
executables (in EEPROM 40). The amount of memory
available on the token will dictate the amount of data
which may be stored. In addition, other sensitive or
private information 48 may be stored to ensure its
integrity.

One aspect of I.B.M. personal computers and their
clones is that the computer systems are not all
identically configured. Some computer systems may have
devices, e.g., display monitors or optical disks, that
other systems do not have. Some of these computer
systems have slots which can accept addin boards which
can be used to enhance the system by, for example,
increasing its speed or the resolution of its display.
In order to overcome the complications introduced by
non-uniformity of computer platforms, a set of functions that
provide an interface to the low-level input/output (I/O)
system is provided. In the I.B.M. PC systems this system
is called the Basic Input Output System (BIOS) and
resides in the EPROM and is loaded by the boot program
before it loads the program from the boot sector.

I.B.M. PCs are expandable and can have new devices
attached to them using cards inserted into slots in the
computer's chassis. A new device or card may need to
extend the interface to the low-level I/O system, i.e.,
to extend the BIOS. To do this it uses a BIOS extension.

The system takes advantage of the following
feature of the PC's boot sequence: after loading the BIOS
but before loading the boot sector, the boot program
examines each expansion slot in the computer, looking for
a BIOS extension. If it finds one it hands over control
to that extension. In a typical PC system the BIOS
extension would load its functions into the system and
then pass control back to the boot program. After
checking all extension slots for BIOS extensions the boot
program then begins looking in the disk drives for a disk
with a boot sector from which to boot.

15 Pig. 7 describes the boot sequence of a PC. When 

the boot sequence is started 50 (either by cycling the 
power of the cooputer or by pressing a particular 
sequence of keys on the keyboard) the boot program in ROM 
28 of the eoB^uter system loads the BIOS code 52 into 

20 memory 14. This BIOS code allows the program to interact 
with attached devices. The boot program then examines 
each slot 54 (by address) in turn to determine if it 
contains a board with a BIOS extension 56. If the boot 
program finds a slot with a BIOS extension then it loads 

25 and executes the code associated with that BIOS extension 
58. After the BIOS extension's code is executed, control 
is passed back to the boot program to examine the next 
slot address 54. fihen all slots have been examined the 
boot program then tries to find a boot disk , i.e., a disk 

30 with a boot sector 60. (I.B.M. PCs are configured to 
look for a boot disk starting in the floppy drives and 
then on the hard drives.) Once a boot disk is found, its 
boot sector is loaded and executed 62. 
A Smartcard-Based Operating System

A prototype of the invention, also referred to herein as The
Boot Integrity Token System (BITS), has been developed to
provide computer boot integrity and enforce access control for
an IBM or compatible system (PC-BITS), although the technology
described is applicable to a wide variety of other computer
systems.

Referring again to Fig. 1, the basic idea behind BITS is that
the host computer system 10 will actually boot itself from a
smartcard 22. Since the smartcard 22 can be readily configured
to require user authentication prior to data access, it
provides an ideal mechanism to secure a host computer. Thus,
if critical information required to complete the boot sequence
is retrieved from a smartcard, boot integrity may be
reasonably assured. The security of the system assumes the
physical security of the host either with a tamper-proof or
tamper-evident casing, and the security of the smartcard by
its design and configuration. If an attacker can gain physical
access to the hardware, it is impossible to guarantee system
integrity.

Referring to Figs. 1 and 4-6, the PC-BITS prototype consists
of an 8-bit addin board 30, a smartcard drive 20
(reader/writer) which mounts in a floppy bay of computer
system 10, configuration as well as file signature validation
software, and a supply of smartcards. The board 30 contains a
special boot PROM which is loaded with a program which
interfaces to the smartcard reader. Further, the board is
configurable to set an identifier for the host.

Installation and configuration of the host can be accomplished
in minutes. The process involves insertion of the addin board
and the equivalent of the installation of a floppy drive. Once
installed, the computer will not complete the boot sequence
without a valid user authentication to a properly configured
smartcard. The reason for this is that the addin board 30 is a
BIOS Extension board. Recall from the discussion above, with
reference to Fig. 7, that the boot program loads and executes
any and all BIOS extensions 58 before it looks for a boot disk
60. The addin board 30 takes control from the boot program
when its BIOS extension is loaded, but it does not return
control back to the boot program. Thus, the modified boot
process is like that depicted in Fig. 8, where the process of
looking for and loading a boot sector does not take place
under control of the boot program, but under the control of
the modified boot program on the BIOS Extension card.

During system startup, two authentications must be
successfully performed to complete the boot sequence. First,
the user enters a password which is checked by the smartcard
to confirm that the user is authorized to use that card. If
successful, the smartcard allows the PC to read the
boot-sector and other information from the smartcard memory.
To authenticate the smartcard to the host, the card must also
make available a secret shared with the host, in this case the
configurable host identifier. Table 1 illustrates these
transactions. If both the user and card authentication are
successful, the boot sequence completes, and control is given
to the PC operating system — some or all of which has been
retrieved from the smartcard. The user may then proceed to
utilize the PC in the usual fashion, uploading additional
information (i.e., applications or application integrity
information) from the smartcard as needed.

Step  Action                        Implementation
----  ----------------------------  --------------------------------
0     Insert card and power up      [illegible] card
      the host

1     Authenticate user and         Present user password to the
      present data to the           smartcard
      smartcard

2     Authenticate the card to      Host reads shared secret from
      the host                      the smartcard

3     Upload boot information       Host reads boot-sector from the
                                    smartcard

4     Integrity check host-         Host computes file checksum
      resident boot files and       which the smartcard encrypts to
      complete boot sequence if     form a signature; this value is
      successful                    compared with the signature
                                    stored on the card

Table 1: PC-BITS System Startup

The card is expected to contain critical data such as digital
file signatures for system executables and the user's
cryptographic keys. Comparing executable file signatures with
those stored on the smartcard provides a virus detection
mechanism which is difficult to defeat. This approach is
consistent with a recent trend to validate file integrity
rather than solely scan for known virus signatures.

Refer now to Figs. 9-10, which show the control flow of the
modified boot sequence from the point of view of the computer
system and the smartcard respectively. The flow diagram in
Fig. 9 shows the control flow of the modified boot program
loaded from the BIOS Extension addin card in step 58 (Fig. 8)
of the original boot sequence. Fig. 10 shows the processing
that occurs (during the boot sequence) on the CPU 34 of the
smartcard 22 while it is in the smartcard reader 20.

The modified boot program (the BIOS extension) prompts the
user for a password 60 on display 18. The password is read 62
from keyboard 16 and sent to the smartcard 22. At the same
time, the smartcard is waiting for a password 92. When the
smartcard 22 gets a password 94 from the computer system 10 it
validates the password 96 using whatever builtin validation
scheme comes with the smartcard. If the password is invalid
then the smartcard 22 returns a "NACK" signal 100 to the
computer system 10, disallows reading of its data 102 and
continues to wait for another password 92. (In some systems a
count is kept of the number of times an invalid password is
entered, with only a limited number of failed attempts allowed
before the system shuts down and requires operator or
administrator intervention.) If the password is valid then the
smartcard 22 returns an "ACK" signal 98 to the computer system
10 and allows reading of the data in its memory and files 104.

The computer system 10 waits for the response 66 from the
smartcard 22 and then bases its processing on the returned
result 68. If the password was invalid (i.e., the smartcard
returned an "NACK" signal) then the user is once again
prompted for a password 60 (recall again the discussion above
about limiting the number of attempts). If the password is
valid the user has been authenticated to the smartcard and now
the computer system attempts to authenticate the card for the
system. It does this (in step 70) by reading a host access
code 46 from EEPROM 40 of the smartcard 22. (The host access
code is one of the items of data put on the smartcard by the
system administrator during system configuration.) The host
access code 46 from the smartcard is compared to the one that
the system has stored about itself 72. If they are unequal
then this smartcard 22 is not allowed for this host computer
system 10 and the boot process is terminated 74. (Note that
this termination ends the entire boot process - the boot
program does not then try to boot from a disk). If the check
at step 72 finds the codes to be equal then the card is
authenticated to the host and the boot sector 42 from EEPROM
40 of smartcard 22 is read (step 76) into memory 14 of
computer system 10.

Recall that, because of the limited size of the memory on
smartcards today, it is not yet possible to store all the
information and files for an OS the size of, e.g., MS-DOS on a
smartcard. Therefore the other files will have to be read from
a disk or other storage device. It is, however, still possible
to ensure their integrity by the use of integrity information,
e.g., checksums for the files, stored on the smartcard (by a
system administrator).

In step 78 the BIOS Extension program reads the file integrity
information 44 from the EEPROM 40 of the smartcard 22. Then,
for each file whose integrity is required, e.g., IO.SYS, etc.,
the integrity information for that file is validated (step
80). If the OS files are found to be invalid 82 then an error
is reported 84 to the user on display 18. If the error is
considered to be severe 88 then the boot process terminates
90. (The determination of what constitutes "severe" is made in
advance by the system administrator based on the security
requirements of the system. In some systems no file changes
are allowed, in others some specific files may be modified,
but not others.)

If the file integrity information is valid (or the error is
not considered severe) then the boot sector that was loaded
from the smartcard (in step 76) is executed 86. At this point
the boot process will continue as if the boot sector had been
loaded from a disk (as in the unsafe system).
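
The control flow of Figs. 9 and 10, as an added example in C that is not part of the patent or of Appendix A: a mock smartcard and the host-side decisions (password retries with lockout, host access code comparison, per-file integrity check with an administrator-set severity flag). The card model, the checksum, the keyed mix standing in for the card's encryption, the 4-byte code length and all sample values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_BAD_TRIES 3   /* page: three consecutive false presentations */
#define CODE_LEN 4        /* assumed length of the host access code */

typedef enum { BOOT_OK, BOOT_NOT_AUTHENTICATED, BOOT_CARD_LOCKED,
               BOOT_WRONG_HOST, BOOT_INTEGRITY_FAIL } boot_result;

/* Integrity record written at issue time; severe = mismatch aborts the boot. */
typedef struct { const char *name; uint32_t signature; int severe; } card_record;

typedef struct {          /* hypothetical model of the card's state */
    const char *password;
    uint8_t host_code[CODE_LEN];
    uint32_t sign_key;    /* stays on the card */
    card_record records[2];
    size_t nrecords;
    int bad_tries, locked, unlocked;
} smartcard;

typedef struct { const char *name; const uint8_t *data; size_t len; } host_file;

/* Card side (Fig. 10): ACK (1) or NACK (0); lock after repeated failures. */
static int card_present_password(smartcard *c, const char *pw) {
    if (c->locked) return 0;
    if (strcmp(pw, c->password) == 0) { c->bad_tries = 0; c->unlocked = 1; return 1; }
    if (++c->bad_tries >= MAX_BAD_TRIES) c->locked = 1;
    return 0;
}

/* Stand-in for the card's cipher: a keyed mix, not a real algorithm. */
static uint32_t card_sign(const smartcard *c, uint32_t checksum) {
    uint32_t x = checksum ^ c->sign_key;
    x ^= x >> 16; x *= 0x45d9f3bu; x ^= x >> 16;
    return x;
}

/* Host side: Adler-32 style checksum, assumed for illustration. */
static uint32_t file_checksum(const uint8_t *p, size_t n) {
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + p[i]) % 65521u; b = (b + a) % 65521u; }
    return (b << 16) | a;
}

/* No early exit, so timing does not reveal how many bytes matched. */
static int ct_equal(const uint8_t *x, const uint8_t *y, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(x[i] ^ y[i]);
    return d == 0;
}

/* Modified boot sequence (Fig. 9); BOOT_OK means the boot sector may run. */
boot_result bits_boot(smartcard *c, const uint8_t *host_code,
                      const char *const *typed, size_t ntyped,
                      const host_file *files, size_t nfiles, int *warnings) {
    *warnings = 0;
    for (size_t i = 0; i < ntyped && !c->unlocked; i++)   /* steps 60-68 */
        card_present_password(c, typed[i]);
    if (!c->unlocked)
        return c->locked ? BOOT_CARD_LOCKED : BOOT_NOT_AUTHENTICATED;
    if (!ct_equal(c->host_code, host_code, CODE_LEN))     /* steps 70-74 */
        return BOOT_WRONG_HOST;                           /* no fallback to disk */
    for (size_t i = 0; i < c->nrecords; i++) {            /* steps 78-88 */
        const card_record *r = &c->records[i];
        int ok = 0;                                       /* missing file = invalid */
        for (size_t j = 0; j < nfiles; j++)
            if (strcmp(files[j].name, r->name) == 0)
                ok = card_sign(c, file_checksum(files[j].data, files[j].len))
                     == r->signature;
        if (!ok) {
            (*warnings)++;                                /* step 84: report */
            if (r->severe) return BOOT_INTEGRITY_FAIL;    /* step 90 */
        }
    }
    return BOOT_OK;                                       /* step 86 */
}

/* Constructed password sequences and scenario; demo_warnings is set by demo(). */
const char *const TYPED_GOOD[] = { "s3cret" };
const char *const TYPED_RETRY[] = { "a", "b", "s3cret" };
const char *const TYPED_LOCKOUT[] = { "a", "b", "c", "s3cret" };
int demo_warnings;

boot_result demo(const char *const *typed, size_t ntyped, uint8_t host_byte0,
                 int tamper_io, int tamper_config) {
    uint8_t io[] = "constructed IO.SYS image", cfg[] = "FILES=20";
    uint8_t host_code[CODE_LEN] = { host_byte0, 0x17, 0x08, 0x99 };
    smartcard c = { "s3cret", { 0x42, 0x17, 0x08, 0x99 }, 0xC0FFEEu, {{0}}, 2, 0, 0, 0 };
    host_file files[2] = { { "IO.SYS", io, sizeof io }, { "CONFIG.SYS", cfg, sizeof cfg } };
    c.records[0] = (card_record){ "IO.SYS", card_sign(&c, file_checksum(io, sizeof io)), 1 };
    c.records[1] = (card_record){ "CONFIG.SYS", card_sign(&c, file_checksum(cfg, sizeof cfg)), 0 };
    if (tamper_io) io[0] ^= 0x01;        /* file changed on the host after issue */
    if (tamper_config) cfg[0] ^= 0x01;
    return bits_boot(&c, host_code, typed, ntyped, files, 2, &demo_warnings);
}

int main(void) { return demo(TYPED_GOOD, 1, 0x42, 0, 0) == BOOT_OK ? 0 : 1; }
```

In Appendix A the per-file checks (ChkIO and the routines after it) are simulated with a delay, so the comparison shown here follows the description in Table 1 rather than the listing.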

In the BITS system, cards are configured and issued by a
security officer using the software provided - the current
prototype is written in C to improve portability.

Configuration entails the loading onto the smartcard of the
boot sector 42 as well as digital signatures for boot files
stored on the host 44. At the time of issue, it is necessary
to specify the machine or set of machines 46 that the user to
whom the card is being issued will be granted access so that a
host key may be loaded. File integrity information and
portions of the host operating system are also loaded onto the
smartcard at this time 44. All data is read protected by the
user's authentication (e.g., cannot be read unless the user
password is presented correctly), and write protected by the
security officer authentication. This arrangement (depicted in
Table 2) prevents users from inadvertently or deliberately
corrupting critical data on the smartcard.

Smartcards may be issued on a per host, per group, or per site
basis depending on the level of security desired. Since the
secret shared by the host and card is configurable on the
host, it is possible to issue smartcards in a one-to-one,
many-to-one, or many-to-many fashion. A one-to-one mapping of
users to hosts corresponds to securing a machine for a single
user. Analogously, many-to-one allows the sharing of a single
machine, and many-to-many allows for the sharing of multiple
machines among an explicit set of users. One-to-many is a
possible, but usually wasteful, mapping of computer resources.

Step  Action                        Implementation
----  ----------------------------  --------------------------------
0     Security officer creates      Present manufacturer password
      user and security officer     and load user-specified secret
      accounts on card              codes for accounts.

1     Load boot sector onto card    Create a file readable under the
                                    user password and writable under
                                    the security officer password
                                    and write the partition boot
                                    record.

2     Compute and load signatures   For each file compute a hash
      for selected files            which is encrypted by the card.
                                    This signature together with the
                                    file name is stored on the card.

3     Load host authentication      Create a file readable under the
      information                   user password and writable under
                                    the security officer password
                                    and write a secret to be shared
                                    with the host.

Table 2: BITS Smartcard Configuration



The effectiveness of BITS is limited by the feasibility of
storing all boot-relevant information on a smartcard. To the
extent this is possible, boot integrity will be maintained.
BITS is not a virus checker; however, for those files whose
signatures are stored on the smartcard, it is possible to
detect the modification of the file on the host system. Thus
the user may be notified that an executable is suspect before
it is run. In general BITS will provide enhanced computer
security by utilizing the secure storage and processing
capabilities inherent to the smartcard.

From a security perspective, the less that a user depends upon
from a shared environment, the better. Any shared writable
executable may potentially contain malicious code.
Fortunately, advances in technology are likely to permit the
storage of entire operating systems as well as utilities on a
smartcard, thus obviating the necessity of sharing executables
altogether.

Smartcards themselves may also be made more secure. Currently,
authentication to the smartcard is limited to user-supplied
passwords. In most systems, three consecutive false
presentations result in the smartcard account being disabled.
However, if biometric authentication (e.g., fingerprint checks
or retinal scans) is incorporated into the card, it will be
possible to achieve higher assurance in user authentication.

To date, the size requirements of smartcards have imposed the
greatest limitation upon their utility; the current state of
the art is a 1.0 micron resolution in the burning of chip
masks. However, SGS Thompson and Phillips recently announced
the development of 0.7 micron technology as well as plans for
a 0.5 micron technology. Regardless of these advances, the
chips themselves are still currently limited to a few
millimeters on a side due to the brittle nature of the silicon
substrate from which they are made. A flexible substrate might
allow chips which occupy the entire surface of the smartcard
resulting in an exponential gain in computing resources.

A smartcard with this capability would result in a truly
portable (wallet-sized) personal computer which could be made
widely available at relatively low cost. In this type of
computing environment only the bulky human interface need be
shared. A computing station might consist of a monitor, a
keyboard, a printer, and a smartcard interface. The user could
walk up to the computing station, supply the CPU and data
storage, and begin work.

The implications of this technology are impressive. The
existence of instant PC access for millions regardless of
location would greatly enhance the utility of computers. The
ability to use the same environment wherever one chooses to
work would eliminate time spent customizing and increase
productivity. The security provided by smartcards may also
result in increased security for sensitive data by decreasing
the likelihood of compromise or loss.

Because of the mode in which the invention is used, it might
be wrongly compared with a boot from floppy disk. While it is
true that inserting a smartcard is similar to inserting a
floppy, the interaction during the boot sequence is entirely
different. The smartcard-based system incorporates two
separate authentications, user to card and card to host, which
are entirely absent from the floppy boot. Further, the
integrity of the boot information on a floppy is protected
only by an easily removed write-protect-tab; while the
smartcard requires the authentication of the security officer
in order to update boot information. One may also note the
ease of carrying a smartcard as compared with a floppy disk.

The invention has been installed and tested on a desktop
computer. However, the system is easily generalizable to any
computing environment including mainframe, microcomputer,
workstation, or laptop. The intelligent token of choice for
this embodiment is a smartcard. The reason is that ISO
Standard smartcards are expected to be the most ubiquitous and
consequently the least expensive form of intelligent token.

Appendix A, incorporated by reference, is a source code
listing of the BIOS Extension code loaded onto the memory of
the addin board (as described above) written in 8088 Assembly
language. This code may be assembled using a Borland Turbo
Assembler (TASM™) and linked using a Borland Turbo Linker
(TLINK™), and run on an AT Bus (ISA compatible) computer
running a DOS compatible OS. Appendix A contains material
which is subject to copyright protection. The owner has no
objection to facsimile reproduction by anyone of the patent
document or the patent disclosure, as it appears in the Patent
and Trademark Office patent file or records, but otherwise
reserves all rights whatsoever.
Copyright rights and all other rights reserved.

;dosbits.asm                                    Paul C. Clark
;
; BOOT INTEGRITY TOKEN SYSTEM - DOS Version
; BIOS Extension for DOS smartcard boot
; Version 1

; Useful Defines

ACK             EQU     60h
ETX             EQU     03h
NAK             EQU     000E0h
COM1_CTL_REG    EQU     003FCh
COM1_DATA_REG   EQU     003F8h
COM1_STAT_REG   EQU     003FDh
STACKAREA       EQU     06000h
SCRATCHAREA     EQU     07000h
PBRAddress      EQU     07C00h
PWDAddress      EQU     0C007h



Cseg        Segment Para Public 'Code'
            Assume  CS:Cseg
            Org     03h                     ;Code starts after extension
                                            ;signature and length
            Mov     BX,SP                   ;Save stack
            Mov     CX,SS
            Push    BX
            Push    CX
            Mov     AX,STACKAREA            ;Set up new stack
            Mov     SS,AX
            Mov     SP,0000h
            Mov     AX,SCRATCHAREA          ;Set scratch area
            Mov     ES,AX
            Push    CS                      ;Data seg = Code (... model)
            Pop     DS
            Sti                             ;Allow breaks
            Cld                             ;Set direction to increment
            Call    Main
            Pop     CX                      ;Restore original stack
            Pop     BX
            Mov     SS,CX
            Mov     SP,BX
            Jmp     Int19Hdl                ;Execute the PBR
            Label   Near
            DB      0CBh                    ;Far return opcode
;           Mov     AH,4Ch                  ;Return control to DOS
;           INT     21h

;
; Identify BIOS extension
;
            DB      'ROM BIOS Extension for DOS BITS '
            DB      'Version 1 '

;
; Main Program
;
Main        Proc    Near
            Call    InitPort                ;Initialize COM port
            Call    ClrScr                  ;Clear screen
            Call    DrawBox                 ;Draw the frame for dialog
            Mov     DX,071Ah                ;Display title
            Mov     SI,offset STitle
            Call    StrScr
            Mov     DX,081Eh                ;Display subtitle
            Mov     SI,offset SSTitle
            Call    StrScr
            Mov     DX,0A1Dh                ;Prompt user for card
            Mov     SI,offset InsrtCrd
            Call    StrScr
            Call    WaitCard                ;Wait until card is inserted
            Call    GetPwd                  ;Get and present password
            Mov     AX,SCRATCHAREA
            Mov     ES,AX
            Call    ReadPBR                 ;Read and install PBR from card
            Mov     DX,0C1Ah
            Mov     SI,offset Erase         ;Erase load message
            Call    StrScr
            Mov     DX,0C1Ah                ;Notify user of file checking
            Mov     SI,offset FileChk
            Call    StrScr
            Call    ChkIO                   ;Check IO.SYS integrity
            Call    ChkMSDOS                ;Check MSDOS.SYS integrity
            Call    ChkCMD                  ;Check COMMAND.COM integrity
            Call    ChkCFGSYS               ;Check CONFIG.SYS integrity
            Mov     DX,0C1Ah
            Mov     SI,offset Erase         ;Erase file check message
            Call    StrScr
            Call    ClrScr
            Mov     SI,offset PowerOff      ;Remove power from card
            Call    CReaderCom
;PC hangs part way through boot process using this technique! Needs fix!
;           Xor     AX,AX                   ;Replace INT 19 handler with
;           Mov     DS,AX                   ;address of PBR
;           Lea     AX,PBRAddress           ;Jump to where the PBR is
;           Mov     DS:[0064],AX
;           Push    CS
;           Pop     AX
;           Mov     DS:[0066],AX
;           Int     19
            Ret
Main        Endp

;
; Interrupt 19 (Warm Boot) Handler
;  - Execute PBR loaded from card.
;
Int19Hdl    Proc    Far
            Sti
            DB      0EAh,00h,7Ch,00h,00h    ;Far JMP to 0000:7C00
Int19Hdl    EndP



;
; Initialize COM1: 9600, N, 8, 1
;
InitPort    Proc    Near
            Push    AX
            Push    DX
            Mov     AH,00                   ;Interrupt 14 service 0
            Mov     AL,11100011b            ;9600 baud, no parity, 1 stop, 8 data
            Mov     DX,0000                 ;COM1:
            Int     14h
            Pop     DX
            Pop     AX
            Ret
InitPort    Endp

;
; Wait for card to be inserted
;
WaitCard    Proc    Near
            Cli
WaitLoop    Label   Near
            Push    DS
            Mov     SI,offset InitRdr       ;Initialize reader
            Call    CReaderCom
            Mov     SI,offset StCrdTp       ;Set card type
            Call    CReaderCom
            Mov     SI,offset InitRdr       ;Reset card
            Call    CReaderCom
            Mov     SI,offset PowerOn       ;Apply power to card
            Call    CReaderCom
            Mov     SI,0001h
            Mov     BX,SCRATCHAREA
            Mov     DS,BX
            Lodsb
            Cmp     AL,04h                  ;If return code is 4 bytes.
            Pop     DS                      ;card isn't there!
            Jz      WaitLoop                ;Otherwise something is there.
            Sti
            Ret
WaitCard    Endp



;
; Get password from user and present to card
;
GetPwd      Proc    Near
            Push    AX
            Push    CX
            Push    DS
            Push    DI
PwdLoop     Label   Near
            Mov     CX,00h                  ;Initialize character count
            Mov     DX,0A1Ah                ;Erase previous message
            Mov     SI,offset Erase
            Call    StrScr
            Mov     DX,0A1Ah
            Mov     SI,offset PwdPmpt       ;Display password prompt
            Call    StrScr
            Mov     DI,PWDAddress
ReadLoop    Label   Near
            Mov     SI,offset KbdStat       ;Display keyboard status label
            Mov     DX,0101h
            Call    StrScr
            Mov     AH,01h                  ;Check keyboard status
            Int     16h
            Call    DispStat                ;Display Keyboard Status
            Jz      ReadLoop                ;Loop on empty buffer
            Mov     DX,CX                   ;Put the cursor in the right place
            Add     DX,0A24h
            Call    CurPos
            Mov     AH,0h                   ;Read character from keyboard
            Int     16h
            Cmp     AL,08h                  ;Check for <BACKSPACE>
            Je      EraseChar
            Cmp     AL,0Dh                  ;Check for <RETURN>
            Je      SpaceFill
            Cmp     AL,1Bh                  ;Check for <ESC>
            Je      SpaceFill
            Cmp     CX,08h                  ;Length cannot exceed eight
            Jge     Beep
            Stosb                           ;Store as part of presentation str
            Inc     CX                      ;Increment character count
            Mov     AL,'X'
            Call    DisplayChar
            Jmp     ReadLoop
EraseChar   Label   Near                    ;Process a BACKSPACE
            Cmp     CX,00h                  ;Is backspace all there is?
            Je      Beep                    ;if no chars to delete goto read loop
            Dec     DI                      ;Remove character before backspace
            Dec     CX                      ;Decrement char count
            Call    DisplayChar
            Mov     AL,' '
            Call    DisplayChar
            Mov     AL,08h
            Call    DisplayChar
            Jmp     ReadLoop
Beep        Label   Near                    ;Ring the bell and continue
            Mov     AL,07h
            Call    DisplayChar
            Jmp     ReadLoop
SpaceFill   Label   Near                    ;User has pressed RETURN or ESC
            Mov     AL,' '                  ;Pad out pwd with spaces.
padloop     Label   Near
            Cmp     CX,08h
            Jge     Presentpw               ;After space padding, send pw
            Stosb
            Inc     CX
            Jmp     padloop
Presentpw   Label   Near
;           Jmp     CodeOK
            Mov     AX,0C000h               ;Fill-in rest of present code cmd
            Mov     DI,AX
            Mov     AL,0Eh
            Stosb
            Mov     AX,000DAh
            Stosw
            Mov     AX,0020h
            Stosw
            Mov     AX,0804h
            Stosw
            Mov     SI,0C000h               ;Present the code to the reader
            Mov     AX,SCRATCHAREA
            Mov     DS,AX
            Call    CReaderCom
            Mov     SI,0003                 ;Look at the card response string
            Lodsb
            Cmp     AL,90h                  ;90h = code ok
            Je      CodeOK
            Lodsb
            Cmp     AL,40h                  ;9840h = card locked
            Je      CardLock
            Mov     DX,0C1Ah                ;Give it another try
            Mov     SI,offset BadPass
            Call    StrScr
            Jmp     PwdLoop
CardLock    Label   Near                    ;Card is locked...
            Mov     DX,0A1Ah
            Mov     SI,offset Erase
            Call    StrScr
            Mov     DX,0C1Ah
            Mov     SI,offset Erase
            Call    StrScr
            Mov     DX,0B20h                ;Inform user
            Mov     SI,offset CdLck
            Call    StrScr
            Mov     DX,0C1Ah
            Mov     SI,offset CdLck2
            Call    StrScr
            Mov     SI,offset PowerOff
            Call    CReaderCom
LockLoop    Label   Near                    ;Hang in infinite loop
            Jmp     LockLoop
CodeOK      Label   Near                    ;Presentation was OK...
            Mov     DX,0C1Ah
            Mov     SI,offset Erase
            Call    StrScr
            Mov     DX,0C1Ah                ;Inform user
            Mov     SI,offset Corrct
            Call    StrScr
            Pop     DI                      ;Cleanup and return
            Pop     DS
            Pop     CX
            Pop     AX
            Ret
GetPwd      Endp



;
; Load partition boot record from card
;
ReadPBR     Proc    Near
            Push    DS
            Mov     SI,offset SelPbrFl      ;Select the PBR file
            Call    CReaderCom
            Mov     AX,0C000h               ;Form command at 7000:C000
            Mov     DI,AX
            Mov     AX,0DB06h               ;Store command bytes
            Stosw
            Mov     AX,0B200h
            Stosw
            Xor     AX,AX
            Stosw
            Mov     AL,34h
            Stosb
            Xor     DX,DX                   ;Init no. bytes read
            Mov     BH,01h
RFLoop      Label   Near
            Mov     AX,0C004h
            Mov     DI,AX
            Mov     AX,DX
            Mov     CL,04h
            Div     CL
            Stosb
            Cmp     BH,0Ah
            Jne     SendRdCmd
            Inc     DI
            Mov     AL,2Ch
            Stosb
SendRdCmd   Label   Near
            Mov     SI,0C000h
            Mov     AX,SCRATCHAREA
            Mov     DS,AX
            Call    CReaderCom
            Push    ES
            Xor     AX,AX
            Mov     ES,AX                   ;Destination segment 0000
            Mov     SI,0003                 ;Skip header bytes
            Mov     AX,PBRAddress
            Add     AX,DX
            Mov     DI,AX
            Add     DX,0034h
            Mov     CX,001Ah
            Cmp     BH,0Ah
            Jne     DoCopy
            Mov     CX,0016h
DoCopy      Label   Near
            Repz
            Movsw                           ;Copy word at a time
            Pop     ES
            Inc     BH
            Cmp     BH,0Bh
            Jne     RFLoop
            Pop     DS
            Ret
ReadPBR     Endp



;
;Check integrity of IO.SYS
;
ChkIO       Proc    Near
            Mov     DX,0C2Ah
            Call    CurPos
            Mov     SI,offset File1         ;Display filename
            Call    StrScr
            Push    BX
            Mov     BX,0004h                ;Simple delay for simulation
            Call    Delay
            Pop     BX
            Ret
ChkIO       Endp

;
;Check integrity of MSDOS.SYS
;
ChkMSDOS    Proc    Near
            Mov     DX,0C2Ah                ;Erase previous filename
            Mov     SI,offset SErase
            Call    StrScr
            Mov     DX,0C2Ah                ;Display filename
            Mov     SI,offset File2
            Call    StrScr
            Push    BX
            Mov     BX,0004h                ;Simple delay for simulation
            Call    Delay
            Pop     BX
            Ret
ChkMSDOS    Endp

;
;Check integrity of COMMAND.COM
;
ChkCMD      Proc    Near
            Mov     DX,0C2Ah                ;Erase previous filename
            Mov     SI,offset SErase
            Call    StrScr
            Mov     DX,0C2Ah                ;Display filename
            Mov     SI,offset File3
            Call    StrScr
            Push    BX
            Mov     BX,0004h                ;Simple delay for simulation
            Call    Delay
            Pop     BX
            Ret
ChkCMD      Endp
;
;Check integrity of CONFIG.SYS
;
ChkCFGSYS   Proc    Near
            Mov     DX,0C2Ah                ;Erase previous filename
            Mov     SI,offset SErase
            Call    StrScr
            Mov     DX,0C2Ah                ;Display filename
            Mov     SI,offset File4
            Call    StrScr
            Push    BX
            Mov     BX,0004h                ;Simple delay for simulation
            Call    Delay
            Pop     BX
            Ret
ChkCFGSYS   Endp

;
;Busy wait:
; - duration passed in BX
;
Delay       Proc    Near
            Push    BX
            Push    CX
DLoop0      Label   Near
            Mov     CX,0000
DLoop1      Label   Near
            Inc     CX
            Cmp     CX,0FFFFh
            Jne     DLoop1
            Dec     BX
            Jnz     DLoop0
            Pop     CX
            Pop     BX
            Ret
Delay       Endp

;
;Transmit byte to COM1:
; - byte passed on stack
;
SendByte    Proc    Near
            Push    BP
            Mov     BP,SP
            Push    AX
            Push    DX
            Mov     DX,0000                 ;Delay to prevent overrun
SendDly     Label   Near
            Inc     DX
            Cmp     DX,00FFh
            Jnz     SendDly
            Mov     DX,COM1_CTL_REG         ;Indicate send
            Mov     AL,0Bh
            Out     DX,AL
            Mov     DX,COM1_DATA_REG        ;Output byte to port
            Mov     AL,byte ptr [BP+4]
            Out     DX,AL
            Pop     DX
            Pop     AX
            Pop     BP
            Ret
SendByte    Endp



;
;Transmit ASCII representation of byte to COM1:
; - byte passed on stack
;
ASendByte   Proc    Near
            Push    BP
            Mov     BP,SP
            Push    AX
            Push    DX
            Push    CX
            Mov     AL,byte ptr [BP+4]      ;Get byte
            Mov     AH,00
            Mov     CL,04h
            Shr     AX,CL                   ;Arith shift right
            Cmp     AX,0Ah                  ;Result > 10 (A..F)?
            Jge     HAlpha                  ;Yes, calc ASCII for letter
            Add     AL,30h                  ;No, calc ASCII for number
            Jmp     HSend
HAlpha      Label   Near
            Add     AL,37h                  ;Calc ASCII for letter
HSend       Label   Near
            Push    AX
            Call    SendByte                ;Send out calculated byte
            Add     SP,02h
            Mov     AL,byte ptr [BP+4]
            And     AX,000Fh                ;Mask out high nibble
            Cmp     AX,0Ah                  ;Result > 10 (A..F)?
            Jge     LAlpha                  ;Yes, calc ASCII for letter
            Add     AL,30h                  ;No, calc ASCII for number
            Jmp     LSend
LAlpha      Label   Near
            Add     AL,37h                  ;Calc ASCII for letter
LSend       Label   Near
            Push    AX
            Call    SendByte                ;Send out calculated byte
            Add     SP,02h
            Pop     CX
            Pop     DX
            Pop     AX
            Pop     BP
            Ret
ASendByte   Endp

;
;Get byte from COM1:
; - byte returned in AL
;
RcvByte     Proc    Near
            Push    DX
            Mov     DX,COM1_STAT_REG        ;Wait for receive ready
GetByte     Label   Near
            In      AL,DX
            And     AL,01h
            Jz      GetByte
            Mov     DX,COM1_DATA_REG        ;Get byte
            In      AL,DX
            Pop     DX
            Ret
RcvByte     Endp
;
;Get byte from COM1: converting from ASCII representation to byte
; - byte returned in AL
; - ETX returns 01 in AH, 00 otherwise
;
ARcvByte    Proc    Near
            Push    BX
            Push    CX
            Call    RcvByte                 ;Get a byte from port
            Cmp     AL,ETX                  ;Is it ETX?
            Je      RcvEtx
            Cmp     AL,41h                  ;Not ETX, convert to high nibble
            Jge     HNumCvt
            Sub     AL,30h
            Jmp     RcvLow
HNumCvt     Label   Near
            Sub     AL,37h
RcvLow      Label   Near
            Mov     BL,AL                   ;Store high nibble in BL
            Call    RcvByte                 ;Get another byte from port
            Cmp     AL,41h                  ;Convert to low nibble
            Jge     LNumCvt
            Sub     AL,30h
            Jmp     Combine
LNumCvt     Label   Near
            Sub     AL,37h
Combine     Label   Near
            Mov     CL,04                   ;Combine h/l nibbles into byte
            Shl     BL,CL
            Or      AL,BL
            Mov     AH,00
            Jmp     RcvDone
RcvEtx      Label   Near
            Mov     AH,01                   ;ETX, set AH
RcvDone     Label   Near
            Pop     CX
            Pop     BX
            Ret
ARcvByte    Endp



;
;Send NAK to reader/writer (request retransmission)
;
SendNAK     Proc    Near
            Push    AX
            Mov     AL,NAK                  ;Transmit NAK
            Push    AX
            Call    ASendByte
            Add     SP,02h
            Mov     AL,00                   ;Command length is 0
            Push    AX
            Call    ASendByte
            Add     SP,02h
            Mov     AL,NAK                  ;CRC is just NAK
            Push    AX
            Call    ASendByte
            Add     SP,02h
            Mov     AX,ETX                  ;Transmit ETX byte
            Push    AX
            Call    SendByte
            Add     SP,02h
            Pop     AX
            Ret
SendNAK     Endp



;
;Send command to reader/writer
; - check response for NAK and retransmit if necessary
; - pointer to string passed in DS:SI
;
CReaderCom  Proc    Near
            Push    AX
            Push    BX
            Push    CX
            Push    DX
CommandLoop Label   Near
            Push    DS
            Push    SI
            Call    ReaderCom               ;Send reader/writer command
            Call    CGetResp                ;Get reader/writer response
            Push    ES
            Pop     DS
            Mov     SI,0000
            Lodsb                           ;Look at first byte of response
            Cmp     AL,NAK                  ;NAK? message not received properly
            Jne     RecvOK                  ;Not NAK, message received OK
            Pop     SI
            Pop     DS
            Jmp     CommandLoop             ;Try again
RecvOK      Label   Near
            Pop     SI
            Pop     DS
            Pop     DX
            Pop     CX
            Pop     BX
            Pop     AX
            Ret
CReaderCom  Endp



25 



30 



35 



40 



;Send command to reader/writer
; -pointer to string passed in DS:SI

ReaderCom   Proc    Near
            Mov     AL,ACK              ;Transmit ACK
            Mov     BL,AL               ;Store for CRC
            Push    AX
            Call    ASendByte
            Add     SP,02h

            Lodsb                       ;Load command length
            Xor     BL,AL               ;Compute CRC
            Push    AX
            Call    ASendByte           ;Transmit command length
            Add     SP,02h

            Mov     CL,AL               ;Loop on command length
            Mov     DL,00
ComLoop     Label   Near
            Lodsb                       ;Get next command byte
            Xor     BL,AL               ;Compute CRC
            Push    AX
            Call    ASendByte           ;Transmit command byte
            Add     SP,02h
            Inc     DL
            Cmp     DL,CL
            Jnz     ComLoop

            Push    BX
            Call    ASendByte           ;Transmit computed CRC
            Add     SP,02h

            Mov     AL,ETX
            Push    AX
            Call    SendByte            ;Transmit ETX
            Add     SP,02h

            Ret
ReaderCom   Endp



;Get response from reader/writer
; -checks response CRC and requests retransmission if necessary

CGetResp    Proc    Near
RespLoop    Label   Near
            Mov     DI,0000             ;Initialize destination ptr
            Call    GetResp             ;Get the response string
            Cmp     AL,00
            Jz      RespDone            ;No error, we're finished
            Call    SendNAK             ;Error in response, request retrans
            Jmp     RespLoop
RespDone    Label   Near
            Ret
CGetResp    Endp



;Get a response string from reader/writer
; -response string stored starting at ES:DI

GetResp     Proc    Near
CharLoop    Label   Near
            Mov     BL,00               ;Initialise for CRC
            Call    ARcvByte            ;Receive byte
            Stosb
            Xor     BL,AL               ;Calculate CRC
            Cmp     AH,01               ;Repeat until ETX
            Jnz     CharLoop

            Xor     BL,ETX              ;Remove ETX from CRC
            Dec     DI                  ;Get CRC from response
            Dec     DI
            Lodsb
            Xor     BL,AL               ;Remove CRC from CRC
            Cmp     AL,BL               ;Compare with calculated CRC
            Jz      RespOK
            Mov     AL,01               ;Return AL=01 if error
            Ret
RespOK      Label   Near
            Mov     AL,00               ;Return AL=00 if no error
            Ret
GetResp     Endp



;Display Contents of AX Register

Dispstat    Proc    Near
            Push    CX                  ;Save registers
            Push    BX

            Mov     CX,0004h            ;Shift by one nibble
            Mov     BX,AX               ;Save AX in BX

            Mov     AL,AH
            Shr     AL,CL
            Call    DispNibble

            Mov     AX,BX               ;Reset AX
            Mov     AL,AH
            Call    DispNibble

            Mov     AX,BX               ;Reset AX
            Shr     AL,CL
            Call    DispNibble

            Mov     AX,BX               ;Reset AX
            Call    DispNibble

            Mov     AX,BX               ;Reset AX
            Pop     BX
            Pop     CX
            Ret
Dispstat    Endp



;Display character and advance cursor
; -character to be displayed is passed in AL

DisplayChar Proc    Near
            Push    AX                  ;Save contents of AX
            Push    BX                  ;Save contents of BX
            Push    CX                  ;Save character count
            Mov     AH,0Eh              ;Display X's (this should go away)
            Mov     BH,00h              ;Select video page
            Mov     CX,01
            Int     10h                 ;Echo character
            Pop     CX                  ;Restore CX to character count
            Pop     BX                  ;Restore BX
            Pop     AX                  ;Restore AX
            Ret
DisplayChar Endp



;Display nibble - character to be displayed is
; passed in the lower nibble of AL

DispNibble  Proc    Near
            Push    AX                  ;Save contents of AX
            And     AL,0Fh              ;Mask AL
            Cmp     AL,0Ah
            Jge     letter              ;Display A-F not digit
            Add     AL,'0'
            Call    DisplayChar
            Pop     AX                  ;Restore AX
            Ret
letter      Label   Near
            Sub     AL,0Ah
            Add     AL,'A'
            Call    DisplayChar
            Pop     AX                  ;Restore AX
            Ret
DispNibble  Endp



;Send string to screen
; -pointer to string passed in DS:SI
; -location on screen passed in DX (row, col)

StrScr      Proc    Near
            Push    AX
            Push    BX
            Push    CX

            Mov     AH,09               ;Interrupt 10 service 9
            Mov     BH,00               ;Video page 0
            Lodsb
            Mov     BL,AL               ;Load attribute byte
            Mov     CX,0001             ;Only display one of each char
ScrLoop     Label   Near
            Call    CurPos              ;Move cursor
            Lodsb
            Or      AL,AL               ;Our end of string byte?
            Jz      ScrDone             ;If so, we're done...
            Int     10h                 ;Otherwise display character
            Inc     DX                  ;Increment cursor position
            Jmp     ScrLoop             ;Repeat with next character
ScrDone     Label   Near
            Pop     CX
            Pop     BX
            Pop     AX
            Ret
StrScr      Endp

;Draw box frame for dialog

DrawBox     Proc    Near
            Mov     DX,0517h
            Call    CurPos
            Mov     AH,09               ;Service 9
            Mov     BH,00               ;Primary video page
            Mov     BL,07               ;Character attribute
            Mov     CX,0001             ;Display only one
            Mov     AL,0C9h             ;Upper left corner
            Int     10h

            Mov     DX,0518h            ;Top bar
            Call    CurPos
            Mov     AL,0CDh             ;(not in the scan; bar character set as for the bottom bar)
            Mov     CX,001Fh
            Int     10h

            Mov     DX,0537h            ;Upper right corner
            Call    CurPos
            Mov     AL,0BBh
            Mov     CX,0001
            Int     10h

            Mov     DX,0E17h            ;Lower left corner
            Call    CurPos
            Mov     AL,0C8h
            Int     10h

            Mov     DX,0E18h            ;Bottom bar
            Call    CurPos
            Mov     AL,0CDh
            Mov     CX,001Fh
            Int     10h

            Mov     DX,0E37h            ;Lower right corner
            Call    CurPos
            Mov     AL,0BCh
            Mov     CX,0001
            Int     10h

            Mov     DX,0617h            ;Left side
            Mov     AL,0BAh
LSide       Label   Near
            Call    CurPos
            Int     10h
            Add     DX,0100h
            Cmp     DX,0E17h
            Jne     LSide

            Mov     DX,0637h            ;Right side
RSide       Label   Near
            Call    CurPos
            Int     10h
            Add     DX,0100h
            Cmp     DX,0E37h
            Jne     RSide
            Ret
DrawBox     Endp



;Clear screen

ClrScr      Proc    Near
            Push    AX
            Push    BX
            Push    CX
            Push    DX

            Mov     DX,0000h            ;Home cursor
            Call    CurPos

            Mov     AH,09h              ;Fill screen with spaces
            Mov     CX,0800h
            Mov     AL,020h
            Mov     BH,00h
            Mov     BL,07h
            Int     10h

            Mov     DX,0000             ;Home cursor yet again
            Call    CurPos

            Pop     DX
            Pop     CX
            Pop     BX
            Pop     AX
            Ret
ClrScr      Endp



;Set cursor position
; -cursor row passed in DH
; -cursor column passed in DL

CurPos      Proc    Near
            Push    AX
            Push    BX
            Mov     AH,02               ;Interrupt 10 service 2
            Mov     BH,00               ;Video page 0
            Int     10h
            Pop     BX
            Pop     AX
            Ret
CurPos      Endp



;Data area
; - Console messages
; - ISO command strings

;Console messages
STitle      DB      0Ah                 ;Char attribute (clr)
            DB      'Boot Integrity Token System'   ;String
            DB      00h                 ;End of string marker
SSTitle     DB      0Ah
            DB      'DOS-BITS Version 1'
            DB      00h
InsrtCrd    DB      07h
            DB      'Please insert card...'
            DB      00h
SErase      DB      07h
            DB      ' '                 ;(string illegible in the scan; blank run assumed)
            DB      00h
Erase       DB      07h
            DB      ' '                 ;(string illegible in the scan; blank run assumed)
            DB      00h
PwdPmpt     DB      07h
            DB      'Password: '
            DB      00h
BadPass     DB      07h
            DB      'Incorrect. Please try again.'
            DB      00h
Corrct      DB      07h
            DB      'Loading operating system...'
            DB      00h
CdLck       DB      0Fh
            DB      'Card is locked!'
            DB      00h
CdLck2      DB      0Fh
            DB      'Please see Security Manager.'
            DB      00h
KbdStat     DB      07h
            DB      'Keyboard Status: '
            DB      00h
FileChk     DB      07h
            DB      'Checking files: '
            DB      00h
File1       DB      07h
            DB      'IO.SYS'
            DB      00h
File2       DB      07h
            DB      'MSDOS.SYS'
            DB      00h
File3       DB      07h
            DB      'COMMAND.COM'
            DB      00h
File4       DB      07h                 ;(label and attribute illegible in the scan; inferred from File1-File3)
            DB      'CONFIG.SYS'
            DB      00h
BadFile     DB      07h
            DB      'Missing or corrupted file!'
            DB      00h
OKFile      DB      07h
            DB      'Files OK. Booting...'
            DB      00h

;Shared secret (card/PC) data
SharSec     DB      00h

;Reader and card command strings
InitRdr     DB      04h,03h,0Fh,0OOh,0Ah    ;(fourth byte illegible in the scan)
StCrdTp     DB      03h,02h,02h,00h
SstCard     DB      04h,03h,0Fh,0D0h,0Ah
PowerOn     DB      04h,6Eh,01h,00h,00h
PowerOff    DB      01h,4Dh
SelPbrFl    DB      06h,0DBh,00h,0A2h,02h,7Eh,08h

;Operating system filenames
SysFile1    DB      'IO      SYS'
SysFile2    DB      'MSDOS   SYS'
SysFile3    DB      'COMMAND COM'

;End, data area
Cseg        Ends
            END
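
The wire format that ReaderCom, SendNAK and GetResp in the listing above exchange with the reader/writer, as an added C example that is not part of the patent's own code: each byte travels as two ASCII hex digits, the check byte is the XOR of the lead byte, the length and the command bytes, and a raw ETX ends the frame. Assumptions: ACK, NAK and ETX take their ASCII values because the listing's equates lie outside this excerpt, the names frame_build and frame_parse are hypothetical, and the parser rejects bad digits and length mismatches, which the listing does not do.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed values: the listing's ACK/NAK/ETX equates lie outside this excerpt. */
enum { ETX = 0x03, ACK = 0x06, NAK = 0x15 };

/* One byte as two ASCII hex digits, high nibble first (the form ARcvByte decodes). */
static size_t put_hex(uint8_t *out, uint8_t b) {
    out[0] = (uint8_t)"0123456789ABCDEF"[b >> 4];
    out[1] = (uint8_t)"0123456789ABCDEF"[b & 0x0F];
    return 2;
}

/* Lead byte, length, command bytes and XOR check byte as hex pairs, then a raw ETX.
   Returns the number of bytes written, or 0 if out is too small. */
size_t frame_build(uint8_t lead, const uint8_t *cmd, uint8_t len, uint8_t *out, size_t cap) {
    size_t n = 0;
    uint8_t chk = (uint8_t)(lead ^ len);
    if (cap < 2u * (3u + len) + 1u) return 0;
    n += put_hex(out + n, lead);
    n += put_hex(out + n, len);
    for (uint8_t i = 0; i < len; i++) { chk ^= cmd[i]; n += put_hex(out + n, cmd[i]); }
    n += put_hex(out + n, chk);
    out[n++] = ETX;
    return n;
}

static int nibble(uint8_t c) {   /* -1 for a non-hex character; the listing has no such check */
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Decode a frame. Returns the payload length, or -1 (the caller would send NAK) on a
   bad digit, missing ETX, length mismatch or a check byte that does not XOR to zero. */
int frame_parse(const uint8_t *wire, size_t n, uint8_t *lead, uint8_t *payload, size_t cap) {
    uint8_t raw[3 + 255], x = 0;
    size_t cnt = 0, i = 0;
    for (; i + 1 < n && wire[i] != ETX; i += 2) {
        int hi = nibble(wire[i]), lo = nibble(wire[i + 1]);
        if (hi < 0 || lo < 0 || cnt == sizeof raw) return -1;
        raw[cnt] = (uint8_t)(hi << 4 | lo);
        x ^= raw[cnt++];
    }
    if (i >= n || wire[i] != ETX || cnt < 3) return -1;
    if ((size_t)raw[1] != cnt - 3 || x != 0 || (size_t)raw[1] > cap) return -1;
    *lead = raw[0];
    memcpy(payload, raw + 2, raw[1]);
    return raw[1];
}
```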
What is claimed is: 

1. A method for reducing the possibility of 
corruption of critical information required in the 
operation of a computer comprising: 

storing the critical information in a device, 

communicating authorization information between 
the device and the computer, and 

causing the device, in response to the 
authorization information, to enable the computer to read 
the critical information stored in the device. 

2. The method of claim 1 wherein the steps of 
communicating authorization information and enabling the 
computer to read comprise 

a user entering a password, and 
the device verifying the password. 

3. The method of claim 1 wherein the 
authorization information comprises biometric information 
about a user. 

4. The method of claim 1 further comprising 
storing a password in the device, 

in the device, comparing the stored password with 
an externally supplied password, and 

basing a determination of whether to enable the 
computer to read the stored critical information on the 
results of the step of comparing the passwords. 

5. The method of claim 1 wherein the device 
comprises a microprocessor and a memory. 

6. The method of claim 5 wherein the device 
comprises a pocket-sized card containing the 
microprocessor and the memory. 

7. The method of claim 1 wherein said critical 
information comprises boot-sector information used in 
starting the computer. 
8. The method of claim 1 wherein said critical 
information comprises executable code. 

9. The method of claim 1 wherein said critical 
information comprises system data or user data. 

10. The method of claim 1 further comprising 

the computer booting itself from the critical 
information read from the device. 

11. The method of claim 1 wherein the computer 
booting itself comprises executing modified boot code in 
place of normal boot code. 

12. The method of claim 11 further comprising 
storing the modified boot code in the form of a BIOS 
extension. 

13. The method of claim 1 wherein the steps of 
communicating authorization information and enabling the 
computer to read comprise 

the device passing to the computer, secret 
information shared with the computer, and 

the computer validating the shared secret 
information passed from the device. 

14. The method of claim 1 wherein the 
authorization information comprises file signatures for 
executable code. 

15. The method of claim 1 wherein the 
authorization information comprises a user's 
cryptographic key. 

16. The method of claim 13 wherein the shared 
secret information comprises a host access code. 

17. The method of claim 1 wherein the stored 
critical information includes file integrity information. 
18. A method of booting a computer, comprising 
storing, in a device which is separate from the 
computer, boot information, user authorization 
information, and device authorization information in the 
form of a secret shared with the computer, 

providing a communication link between the device 
and the computer, 

receiving possibly valid authorization information 
from a user, 

in the device, checking the possibly valid 
authorization information against the stored user 
authorization information to determine validity, 

if the password is determined to be valid, passing 
the boot information and the shared secret information 
from the device to the computer, 

in the computer, checking the validity of the 
shared secret information, and 

if the shared secret information is valid, using 
the boot information in booting the computer. 

19. A method for initializing a device for use in 
reducing the possibility of corruption of critical 
information required in the operation of a computer 
comprising: 

storing the critical information in memory on the 
device, 

storing authorization information in memory on the 
device, and 

configuring a microprocessor in the device to 
release the critical information to the computer only 
after completing an authorization routine based on the 
authorization information. 

20. The method of claim 19 wherein said critical 
information comprises boot information. 
21. The method of claim 20 further comprising 
storing file integrity information in the memory of the 
device. 

22. The method of claim 20 further comprising 
storing system or user data in the device. 

23. The method of claim 20 further comprising 
storing executables in the memory of the device. 

24. A portable intelligent token for use in 
effecting a secure startup of a host computer comprising 

a housing, 

a memory within said housing, the memory 
containing information needed for startup of the host 
computer, and 

a channel for allowing the memory to be accessed 
externally of the housing. 

25. The token of claim 24 wherein said memory 
also contains a password for authorization, said token 
further comprising 

a processor for comparing the stored password with 
externally supplied passwords. 

26. The token of claim 24 wherein the memory 
stores information with respect to multiple host 
computers. 

27. The token of claim 24 wherein said housing 
comprises a pocket-sized card. 